ABB Cyber security is embedded in Symphony Plus

Cyber security is embedded

in Symphony Plus

Cyber security is embedded in all phases of ABB’s system life cycle. Security for Symphony Plus

adheres to the SD3+C Security Framework (created by Microsoft) to en sure and improve security in

system components. This means that cyber security is addressed at each stage of our system

life cycle, from design and development to maintenance.

Secure by Design

The goal here is to make sure that security bugs or vulnerabilities are not present in new software.

To accomplish this, cyber security must be a factor from the very start of product design. And through

all phases, from creating the specification, through writing the code, and testing the product.

A securebydesign philosophy manifests itself as security training, code reviews and walkthroughs,

threat analysis, and robustness testing of products.Security is integrated in ABB’s quality management

system. Formal threat analysis and threat modelling provide the basis for security

requirements and design principles for the system.

Security checkpoints at project gates ensure that security objectives are met.

One key element of this process is our independent robustness test lab, the ABB Device

Security Assurance Center, where our products are tested. This laboratory is run by dedicated

personnel who are not part of any product development team. They use several specialized

security testing tools, for example Achilles Test Platform and Nessus scanners.

In addition to our adoption of SD3+C Security Framework and extensive internal testing

performed by ABB’s Device Security Assurance Center (DSAC), ABB has embraced third party

security certification to IEC62443 standard by ISA Secure Certification Institute (ISCI),

Symphony Plus security features are designed to meet regulatory requirements and includes

features to help enable compliance such as user account management, rolebased access control,

user authentication, audit trail, etc.

Secure by Default

The goal in this phase is to create default product installations and configurations that are more

resistant to attack, by reducing the attack surface (the number of points a hacker can attempt to

exploit). To accomplish this goal, software must be installed in its most secure configuration and

must stay that way until the customer takes informed steps to loosen it.

Symphony Plus is installed in a predefined way, which makes the process easy and reliable,

ensuring that settings are done in a consistent and repeatable way. Functions and features that

are not needed are disabled or not installed, and Windows Firewall is configured to only enable

necessary communication ports. Symphony Plus gives control engineers a unique opportunity to

manage access for each user. Access can be granted based on parameters such as who and

where the user is, what the user wants to do, and on which aspect object.

Secure by Deployment

The goal here is to ensure that the products can be installed, configured, operated and maintained

in a secure way. User documentation describes how to install and operate Symphony Plus

at the highest level of security. Documentation includes recommendations on how to build secure system

architecture using security zones and defense in depth. Security compliance project checklists

make sure that all important steps are taken during project execution to ensure a secure

deployment. Systems in operation are kept secure with monthly security patch updates and daily

anti virus updates.